Potential problems with third-party Web plugins
#1
Information 
Quote:

Online stores, information portals, and other resources are often based on platforms that provide developers with a set of ready-made tools. Our blog, for example, is built along those lines. Features are usually made available in the form of plugins, allowing users to add them as required. On the one hand, it’s a convenient system that avoids forcing developers to reinvent the proverbial wheel every time they need a particular tool or feature. On the other hand, the more third-party developments on your website, the higher the risk that something might go awry.

The problem with plugins


A plugin is a small software module that either adds to or improves a website’s functionality. There exist plugins that display social network widgets, harvest statistics, and create surveys and other types of content, to name just a few.

If you connect a plugin to your website’s engine, it runs automatically and bothers you only if an error occurs in its operation — that is, if somebody notices the error. Therein lurks the danger of such modules: If the creator abandons their plugin or sells it to another developer, you will likely not notice a thing.

Leaky plugins

Plugins that have not been updated for years are likely to contain unpatched vulnerabilities that could be exploited to take control of a website or download onto it a keylogger, cryptocurrency miner, or whatever the cybercriminals fancy.

Even when updates are available, website owners often overlook them, and vulnerable modules can remain active years after support for them is withdrawn.

Sometimes plugin creators patch vulnerabilities, but for whatever reason the patches are not automatically installed. For example, in some cases module authors simply forget to change the version number in the update. As a result, clients who relied on automatic updating instead of checking for updates manually were left with outdated plugins.

Plugin substitution

Some website content management platforms block the download of modules that are no longer supported. However, it is not possible for a developer or platform to delete vulnerable plugins from users’ websites; that could cause disruption or worse.

What’s more, abandoned plugins might be stored not on the platform itself, but on publicly available services. When the creator discontinues support or deletes a module, your website continues to access the container in which it was located. But cybercriminals can easily capture or clone this abandoned container, and force the resource to download malware instead of the plugin.

That is precisely what happened with the New Share Counts tweet counter, hosted in Amazon S3 cloud storage. When support for the plugin was withdrawn, the developer posted a message to that effect on its website, but more than 800 clients did not read it.

A while later, the plugin writer closed the container on Amazon S3, and cybercriminals pounced. They created storage with the exact same name and placed inside it a malicious script. Websites still using the plugin began to load the new code, which redirected users to a phishing resource promising a prize for taking a survey, instead of the tweet counter.


Messages In This Thread
Potential problems with third-party Web plugins - by harlan4096 - 06 April 19, 07:01
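A defensive check for the substitution scenario in the quoted article, added here as an example and not part of the original post: it lists the resources a page loads from Amazon S3 and flags any whose bucket no longer exists. The names `audit` and `s3_bucket`, the `fetch(url)` interface and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Virtual-hosted style: <bucket>.s3[.-<region>].amazonaws.com
VHOST = re.compile(r"^(?P<bucket>.+)\.s3[.-]([a-z0-9-]+\.)?amazonaws\.com$")
# Path style: s3[.-<region>].amazonaws.com/<bucket>/<key>
PATH_HOST = re.compile(r"^s3([.-][a-z0-9-]+)?\.amazonaws\.com$")

class RefCollector(HTMLParser):
    """Collect URLs the page loads: script/img/iframe src and link href."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        want = {"script": "src", "img": "src", "iframe": "src", "link": "href"}.get(tag)
        self.urls += [v for k, v in attrs if k == want and v]

def s3_bucket(url):
    """Return the S3 bucket a URL points at, or None for non-S3 URLs."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    m = VHOST.match(host)
    if m:
        return m.group("bucket")
    if PATH_HOST.match(host):
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None

def audit(html, fetch):
    """Return (bucket, url) pairs for S3 references whose bucket no longer exists.
    fetch(url) -> (status, body) is a caller-supplied HTTP getter (assumed interface)."""
    collector = RefCollector()
    collector.feed(html)
    dangling = []
    for url in collector.urls:
        bucket = s3_bucket(url)
        if bucket:
            status, body = fetch(url)
            # S3 answers requests for a deleted bucket with 404 and this error code.
            if status == 404 and "<Code>NoSuchBucket</Code>" in body:
                dangling.append((bucket, url))
    return dangling

# Constructed sample page and canned S3 responses, so the example runs offline.
SAMPLE_HTML = """<script src="/js/site.js"></script>
<script src="https://example-share-widget.s3.amazonaws.com/counter.js"></script>
<link rel="stylesheet" href="https://s3.eu-west-1.amazonaws.com/example-theme/main.css">"""
def fake_fetch(url):
    gone = "example-share-widget" in url
    return (404, "<Error><Code>NoSuchBucket</Code></Error>") if gone else (200, "ok")
```

Any reference the audit reports should be removed from the page or replaced with a copy hosted on storage the site owner controls.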
